Hello, I just received this in my mail: "A vulnerability has been found with your password at Honorbuddy, Demonbuddy, Buddystore, Archebuddy - TheBuddyBots. Some passwords are vulnerable to exploitation which may allow a third party to hijack your account. This may lead to your account being used without your knowledge or permission, and actions being performed under your name. Vulnerable accounts can also be bad for the board as a whole as they may enable access for automated tools to spam both the forums and other user accounts, using your username. As such we have had to reset your password. You can find your new login details below." Is this a whole site issue or an individual attack on my account? Just trying to grasp if it's an individual issue as my passwords are usually fairly strong and if I need to change other passwords as well.
I replied to the e-mail asking for more information, and they answered me saying that there was going to be an announcement on the forum shortly.
Although the content of the email suggests that there's a "personal" issue with your password, I do not think there is. Unless passwords are being stored without encryption, which means the staff can see them. I doubt that. Again, I don't think it's a personal issue, but a board-wide reset. It would have been nicer for the issuer of this email to tell us what really happened, instead of a vague one like this. It's not a matter of national security, is it...
I would imagine it was sent hastily using a template, hence why it reads like it's the user's fault... Somehow I doubt everyone's passwords were weak, as the email appears to suggest!
It appears to have been sent to all users of the forums from my observations. It certainly appears to be taken from a template, possibly from a "reset all users' passwords" vBulletin modification (or default feature of the software). I couldn't help but find it amusing that it's worded in a way that would appear to the user that they had an easy-to-guess password and that the reset was done to "help" you stay secure. It's likely that for security reasons, or a vulnerability in the vBulletin software itself that may or may not have resulted in an attack on user data, possibly including e-mail addresses and passwords, that they had to do a site-wide reset. Most likely, the passwords were fine, but due to an attack on the database or other malicious actions, they had to cover their bases. It certainly would've helped clear the confusion if Bossland (or another Moderator) would've posted an announcement at the very least to calm any concerns people had about their information being hacked server-side.
https://www.thebuddyforum.com/the-b...count-password-vulnerability.html#post2025287 the only reference needed
Heh - so the "vulnerable password" was an admin one... Explains why the email template was (presumably) used, then... Can't fault them for getting it sorted ASAP! EDIT: Since the thread is locked (surprise surprise...) how did it take so long to 1) notice an admin account was compromised, 2) notice a new vBulletin plugin was installed and 3) reset passwords? July 25th to now is quite a long time for something as potentially serious as this...
Very amusing that the password they sent me could be *****ed in 15 hours on a desktop PC according to https://howsecureismypassword.net/. I know that hashes in a users table are salted but still my old password was much better.